request.clients.cmp_client

CMP (Certificate Management Protocol) client implementation.

This client enables Trustpoint to communicate with external CMP servers in two modes: 1. Direct client: Trustpoint requests certificates for itself 2. Registration Authority (RA): Trustpoint forwards device requests to upstream PKI

Module Contents

request.clients.cmp_client.DEFAULT_CMP_PORT = 443[source]
request.clients.cmp_client.DEFAULT_CMP_TIMEOUT = 30[source]
exception request.clients.cmp_client.CmpClientError[source]

Bases: Exception

Base exception for CMP client errors.

class request.clients.cmp_client.CmpClient(context, timeout=DEFAULT_CMP_TIMEOUT)[source]

Bases: trustpoint.logger.LoggerMixin

CMP client for communicating with CMP servers according to RFC 9483.

This client implements the CMP protocol for forwarding PKI messages to upstream CMP servers. It supports two primary use cases:

  1. Trustpoint as CMP client: Trustpoint creates and sends its own CMP requests to obtain certificates from an upstream PKI.

  2. Trustpoint as Registration Authority (RA): Trustpoint receives CMP requests from devices, validates them, and forwards them to an upstream PKI, acting as a trusted intermediary.

The client works with complete rfc4210.PKIMessage objects, allowing full control over the CMP protocol interaction.

Parameters:
context[source]
timeout = 30[source]
send_pki_message(pki_message, *, add_shared_secret_protection=False)[source]

Send a PKI message to the CMP server and return the response.

Parameters:
  • pki_message (pyasn1_modules.rfc4210.PKIMessage) – The complete PKI message to send. This should be a properly constructed rfc4210.PKIMessage with header and body.

  • add_shared_secret_protection (bool) – If True, adds HMAC-based protection using the shared secret from context. If False, the message must already be protected.

Returns:

A tuple of (parsed_response_message, raw_response_bytes). The raw bytes are preserved for DER-level certificate extraction.

Raises:

CmpClientError – If the request fails or response is invalid.

Return type:

tuple[pyasn1_modules.rfc4210.PKIMessage, bytes]

send_and_extract_certificate(pki_message, *, add_shared_secret_protection=False)[source]

Send a certification/initialization request and extract the issued certificate.

Convenience method that combines send_pki_message() and certificate extraction for the common case of requesting a certificate.

Parameters:
  • pki_message (pyasn1_modules.rfc4210.PKIMessage) – The CR or IR PKI message to send.

  • add_shared_secret_protection (bool) – Whether to add HMAC protection.

Returns:

A tuple of (issued_certificate, chain_certificates). The chain certificates are from the extraCerts field of the response.

Raises:

CmpClientError – If the request fails or certificate extraction fails.

Return type:

tuple[cryptography.x509.Certificate, list[cryptography.x509.Certificate]]